
Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Windows Time service is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service
uses a hierarchical relationship that controls authority, and the
Windows Time service does not permit loops. By default, Windows-based
computers use the following hierarchy:

All client desktop computers nominate the authenticating domain controller as their in-bound time partner.

All member servers follow the same process that client desktop computers follow.

All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.

All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

In this hierarchy, the PDC operations master at the root of the forest
becomes authoritative for the organization. We highly recommend that
you configure the authoritative time server to gather the time from a
hardware source. When you configure the authoritative time server to
sync with an Internet time source, there is no authentication. We also
recommend that you reduce your time correction settings for your servers
and stand-alone clients. These recommendations provide more accuracy
and security to your domain.
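The four rules above define a directed graph in which every computer has exactly one in-bound partner and only the forest-root PDC has none. The following added example (not code from the article) models that graph for a constructed two-domain forest, resolves each host's partner with the article's rules, and walks the graph for loops, which is the check that catches the "PDC synchronizing with itself" misconfiguration discussed later in the article. Host and domain names are made up.

```python
"""Resolve each computer's in-bound time partner under the default Windows Time
hierarchy and check the result for loops.

Added example, not code from the original article. Host and domain names
are constructed; the four partner-selection rules are the ones the article lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed forest: root domain corp.example with one child domain.
PARENT_DOMAIN: Dict[str, Optional[str]] = {
    "corp.example": None,
    "eu.corp.example": "corp.example",
}


@dataclass(frozen=True)
class Host:
    name: str
    role: str                      # "client", "member_server", "dc" or "pdc"
    domain: str
    auth_dc: Optional[str] = None  # authenticating DC (clients and member servers only)


def pdc_of(domain: str, hosts: Dict[str, Host]) -> str:
    """Name of the PDC operations master for a domain."""
    for h in hosts.values():
        if h.role == "pdc" and h.domain == domain:
            return h.name
    raise LookupError(f"no PDC operations master known for {domain}")


def inbound_partner(host: Host, hosts: Dict[str, Host]) -> Optional[str]:
    """Default rules from the article. None means this host is the forest-root
    PDC and therefore authoritative (nothing sits above it)."""
    if host.role in ("client", "member_server"):
        return host.auth_dc                     # authenticating DC
    if host.role == "dc":
        return pdc_of(host.domain, hosts)       # own domain's PDC
    if host.role == "pdc":
        parent = PARENT_DOMAIN[host.domain]     # follow the domain hierarchy
        return pdc_of(parent, hosts) if parent else None
    raise ValueError(f"unknown role {host.role!r}")


def build_graph(hosts: Dict[str, Host],
                manual_peers: Optional[Dict[str, Optional[str]]] = None) -> Dict[str, Optional[str]]:
    """host -> in-bound partner. manual_peers models manually specified sources
    that override the hierarchy (for example a misconfigured PDC)."""
    graph = {name: inbound_partner(h, hosts) for name, h in hosts.items()}
    graph.update(manual_peers or {})
    return graph


def find_loop(graph: Dict[str, Optional[str]]) -> List[str]:
    """Walk in-bound partners from every host; return the first loop found
    (the hosts on it) or [] if the topology is loop-free. A partner that is
    not a known host (an external time source) ends the walk."""
    for start in graph:
        path: List[str] = []
        node: Optional[str] = start
        while node is not None and node in graph and node not in path:
            path.append(node)
            node = graph[node]
        if node is not None and node in path:
            return path[path.index(node):]
    return []


HOSTS: Dict[str, Host] = {h.name: h for h in [
    Host("DC1", "pdc", "corp.example"),
    Host("DC2", "dc", "corp.example"),
    Host("EUDC1", "pdc", "eu.corp.example"),
    Host("EUDC2", "dc", "eu.corp.example"),
    Host("FS01", "member_server", "eu.corp.example", auth_dc="EUDC2"),
    Host("WS-0042", "client", "corp.example", auth_dc="DC2"),
]}

if __name__ == "__main__":
    default = build_graph(HOSTS)
    for name, partner in default.items():
        print(f"{name:8} -> {partner or '(authoritative: forest-root PDC)'}")
    print("loops:", find_loop(default) or "none")
    # The misconfiguration the article warns about: the PDC pointed at itself.
    print("PDC syncing with itself:", find_loop(build_graph(HOSTS, {"DC1": "DC1"})))
```

In the default graph the walk from every host ends at DC1, which has no partner; overriding DC1 with a manual peer that is itself, or one of its own downstream domain controllers, produces a loop, which is exactly what the service's hierarchy is designed to prevent.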

Configuring the Windows Time service to use an internal hardware clock

To have us configure the Windows Time service to use an internal hardware clock for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

This wizard may apply to English versions only; however, the automatic fix also works for other language versions of Windows.

If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

To configure the PDC master without using an external time source, change the announce flag on the PDC master. The PDC master is the server that holds the forest root PDC master role for the domain. This configuration forces the PDC master to announce itself as a reliable time source and uses the built-in complementary metal oxide semiconductor (CMOS) clock. To configure the PDC master by using an internal hardware clock, follow these steps:

At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time

Note The PDC master must not be configured to synchronize with itself. For more information about why the PDC master must not be configured to synchronize with itself, visit the following Web site to view Request For Comment (RFC) 1305:

If the PDC master is configured to synchronize with itself, the following events are logged in the System log:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: ComputerName
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from NTP_server_IP_Address. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: ComputerName
Description: Time Provider NtpClient: No valid response has been received from manually configured peer NTP_server_IP_Address after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: ComputerName
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.

When the PDC master runs without using an external time source, the following event is logged in the Application log:

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 12
Description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

This text is a reminder to use an external time source, and it can be ignored.
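The four events above are the ones a defender should be pulling out of the System and Application logs when Kerberos starts failing for no obvious reason. The following added example (not code from the article) parses records of exactly this shape and triages them: it recovers the peer named in events 38 and 47, flags the 38 -> 47 -> 29 sequence the article shows for an unusable manual peer, treats event 12 as the benign forest-root reminder the text describes, and reports self-synchronization when the discarded peer resolves to the machine itself. The sample log is constructed; DC1 and 192.0.2.10 stand in for the article's ComputerName and NTP_server_IP_Address placeholders.

```python
"""Parse W32Time System-log events of the shape quoted in the article and
triage them.

Added example, not part of the original article. The sample log is
constructed (host DC1, peer 192.0.2.10 stand in for the article's
ComputerName and NTP_server_IP_Address placeholders); the meaning of event
IDs 38, 47, 29 and 12 is taken from the article's text.
"""
import re
from typing import Dict, List, Optional, Set

KEYS = ("Event Type", "Event Source", "Event Category", "Event ID", "Computer", "Description")
KEY_RE = re.compile(r"^(%s): ?(.*)$" % "|".join(KEYS))
# Peer named in event 38 ("...invalid time data from X.") and 47 ("...configured peer X after...").
PEER_RE = re.compile(r"(?:time data from|configured peer) (\S+?)\.?(?=\s|$)")

# Constructed sample, modelled on the three System-log events the article quotes.
SAMPLE_SYSTEM_LOG = """\
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Computer: DC1
Description: The time provider NtpClient cannot reach or is currently receiving invalid time data from 192.0.2.10. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Computer: DC1
Description: Time Provider NtpClient: No valid response has been received from manually configured peer 192.0.2.10
after 8 attempts to contact it. This peer will be discarded as a time
source and NtpClient will attempt to discover a new peer with this DNS
name. For more information, see Help and Support Center at
http://support.microsoft.com.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Computer: DC1
Description: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. For more information, see Help and Support Center at http://support.microsoft.com.
"""


def parse_events(text: str) -> List[Dict[str, object]]:
    """Split the text into records on blank lines; continuation lines of a
    wrapped Description are folded back into the previous field."""
    events: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {}
        last: Optional[str] = None
        for line in block.splitlines():
            m = KEY_RE.match(line)
            if m:
                last = m.group(1)
                rec[last] = m.group(2).strip()
            elif last:
                rec[last] = f"{rec[last]} {line.strip()}"
        if rec.get("Event Source") == "W32Time":
            rec["Event ID"] = int(str(rec["Event ID"]))
            events.append(rec)
    return events


def triage(events: List[Dict[str, object]],
           local_names: Optional[Set[str]] = None) -> Dict[str, object]:
    """Summarise what the W32Time events say about this machine's time source.

    local_names: names and addresses that refer to the machine itself; a
    discarded peer drawn from that set is the self-synchronization
    misconfiguration the article describes for the PDC master."""
    ids = {e["Event ID"] for e in events}
    peers: Set[str] = set()
    for e in events:
        if e["Event ID"] in (38, 47):
            m = PEER_RE.search(str(e["Description"]))
            if m:
                peers.add(m.group(1))
    return {
        "discarded_peers": sorted(peers),
        # 29: no source reachable; NtpClient will not retry for 15 minutes
        "no_reachable_source": 29 in ids,
        # 38 -> 47 -> 29 is the sequence the article shows for an unusable manual peer
        "unusable_peer_sequence": {38, 47, 29} <= ids,
        "self_sync": bool(peers & (local_names or set())),
        # 12: forest-root PDC with no external source; the article says it can be ignored
        "root_pdc_reminder": 12 in ids,
    }


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_SYSTEM_LOG)
    print(triage(parsed))
    print(triage(parsed, local_names={"DC1", "192.0.2.10"}))
```

Event 29 is the one that matters operationally: once it fires, the machine has no source of accurate time and will drift, and if it is a domain controller the Kerberos failures the article describes follow. Event 12 on its own, on the forest-root PDC, is the reminder the article says can be ignored.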

Configuring the Windows Time service to use an external time source

To have us help you configure an internal time server to synchronize with an external time source, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Note If an authoritative time server that is configured to have an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes.

Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of 0x5.

Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect.

In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.

In Edit DWORD Value, click to select Decimal in the Base box.

In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.

In Edit DWORD Value, click to select Decimal in the Base box.

In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.

Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.

Quit Registry Editor.

At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time

NOTE: For a list of available time servers, see Microsoft KB Article 262680
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;262680)
- A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet

Troubleshooting

For the Windows Time service to function correctly, the networking infrastructure must function correctly. The most common problems that affect the Windows Time service include the following:

There is a problem with TCP/IP connectivity, such as a dead gateway.

The Name Resolution service is not working correctly.

The network is experiencing high volume delays, especially when synchronization occurs over high-latency wide area network (WAN) links.

The Windows Time service is trying to synchronize with inaccurate time sources.

We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows Server 2003 Support Tools package. See Tools Help for a complete list of command-line parameters that you can use with Netdiag.exe. If your problem is still not solved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, we recommend that you contact Microsoft Product Support Services when you turn on the Windows Time service debug log.

For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

NTP supports several different packet types. Typically, NTP clients and Simple Network Time Protocol (SNTP) clients send client mode request packets to an NTP server. The NTP server responds with a server mode packet. To configure the W32time service to send symmetric active mode packets instead of client mode packets to an NTP server, type the following command at a command prompt:

w32tm /config /manualpeerlist:<server>,0x4 /syncfromflags:MANUAL

Note Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests as usual.
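The per-peer flags described here and in the "Peers" note above (0x1 SpecialInterval, 0x4 symmetric active, 0x8 client) are packed into the ,0xN suffix of each manual peer list entry, and 0x4 versus 0x8 changes only the 3-bit mode field in the first byte of the NTP header. The following added example (not code from the article or from W32time) decodes a peer list, checks it against the article's two rules (every DNS name unique, every entry carrying ,0x1), and builds the first byte of an NTP request so the mode difference is visible. The mode numbers (1 symmetric active, 3 client, 4 server) are from RFC 1305; the host names are constructed.

```python
"""Decode the manual peer list W32time accepts (host,0xN entries) and show
what the per-peer flags mean for the NTP packets that are sent.

Added example, not code from the article or from W32time. The flag values
(0x1 SpecialInterval, 0x4 symmetric active, 0x8 client) and the ",0x1 on
every peer" rule are taken from the article; NTP mode numbers are from
RFC 1305; host names are constructed.
"""
import struct
from typing import Dict, List

FLAG_SPECIAL_INTERVAL = 0x1   # poll at the special poll interval instead of the OS-chosen one
FLAG_SYMMETRIC_ACTIVE = 0x4   # send symmetric active (mode 1) packets
FLAG_CLIENT = 0x8             # force ordinary client (mode 3) requests

NTP_MODE_SYMMETRIC_ACTIVE = 1
NTP_MODE_CLIENT = 3
NTP_MODE_SERVER = 4
NTP_VERSION = 3               # the protocol version RFC 1305 describes


def parse_peer_list(peer_list: str) -> List[Dict[str, object]]:
    """Split the space-delimited list and decode each ',0xN' suffix."""
    peers: List[Dict[str, object]] = []
    for item in peer_list.split():
        host, _, suffix = item.partition(",")
        flags = int(suffix, 16) if suffix else 0
        if flags & FLAG_CLIENT:                 # 0x8 forces client mode, per the article's note
            mode = NTP_MODE_CLIENT
        elif flags & FLAG_SYMMETRIC_ACTIVE:
            mode = NTP_MODE_SYMMETRIC_ACTIVE
        else:
            mode = NTP_MODE_CLIENT              # default: normal client requests
        peers.append({"host": host, "flags": flags, "mode": mode,
                      "special_interval": bool(flags & FLAG_SPECIAL_INTERVAL)})
    return peers


def lint_peer_list(peers: List[Dict[str, object]]) -> List[str]:
    """Problems the article calls out: duplicate DNS names, entries without ,0x1."""
    problems: List[str] = []
    seen: set = set()
    for p in peers:
        if p["host"] in seen:
            problems.append(f"duplicate DNS name: {p['host']}")
        seen.add(p["host"])
        if not p["special_interval"]:
            problems.append(f"{p['host']}: missing ,0x1 suffix")
    return problems


def build_request(mode: int, leap_indicator: int = 0, version: int = NTP_VERSION) -> bytes:
    """Minimal 48-byte NTP header: LI (2 bits) | VN (3 bits) | Mode (3 bits), rest zero."""
    first = (leap_indicator & 0x3) << 6 | (version & 0x7) << 3 | (mode & 0x7)
    return struct.pack("!B", first) + bytes(47)


def packet_mode(packet: bytes) -> int:
    """Mode field of an NTP packet: the low 3 bits of the first byte."""
    return packet[0] & 0x7


if __name__ == "__main__":
    peers = parse_peer_list("time.example.net,0x9 ntp2.example.net,0x5 ntp3.example.net")
    for p in peers:
        print(f"{p['host']:18} flags=0x{p['flags']:x} mode={p['mode']} "
              f"special_interval={p['special_interval']}")
    print("problems:", lint_peer_list(peers))
    print("client request first byte: 0x%02x" % build_request(NTP_MODE_CLIENT)[0])
    print("symmetric active first byte: 0x%02x" % build_request(NTP_MODE_SYMMETRIC_ACTIVE)[0])
```

A client-mode request with version 3 has first byte 0x1B; the same request in symmetric active mode is 0x19. Everything else in the 48-byte header is identical, which is why a server that accepts only client requests must be given the 0x8 flag.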

A computer that is configured to be a reliable time
source is identified as the root of the Windows Time service. The root
of the Windows Time service is the authoritative server for the domain
and typically is configured to retrieve time from an external NTP server
or hardware device. A time server can be configured as a reliable time
source to optimize how time is transferred throughout the domain
hierarchy. If a domain controller is configured to be a reliable time
source, the Net Logon service announces that domain controller as a
reliable time source when it logs on to the network. When other domain
controllers look for a time source to synchronize with, they select a
reliable source first, if one is available.

Manually-specified synchronization

With manually-specified synchronization, you can designate a single peer
or list of peers that a computer obtains time from. If the computer is
not a member of a domain, it must be manually configured to synchronize
with a specified time source. By default, a computer that is a member of
a domain is configured to synchronize from the domain hierarchy.
Manually-specified synchronization is most useful for the forest root of
the domain or for computers that are not joined to a domain. When you
manually specify an external NTP server to synchronize with the
authoritative computer for your domain, you provide reliable time.
However, to provide high accuracy and security to your domain, we
recommend that you configure the authoritative computer for your domain
to synchronize with a hardware clock.

Without a hardware time source, W32time is configured as an NTP type. You must reconfigure the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries. The recommended value should be 15 minutes or even lower, depending on time source, network condition, and security requirement. This requirement also applies to any reliable time source that is configured as the forest root time source in the time sync subnet. For more information about these registry entries, see the "Windows Time service registry entries" section in this article.

Note Manually-specified
time sources are not authenticated unless a specific time provider is
written for them, and these time sources are therefore vulnerable to
attacks. Also, if a computer synchronizes with a manually-specified
source instead of its authenticating domain controller, the two
computers might be out of synchronization. This scenario causes Kerberos
authentication to fail and could also cause other actions that require
network authentication to fail, such as printing or file sharing. If
only the forest root is configured to synchronize with an external
source, all other computers within the forest remain synchronized with
each other. This configuration makes replay attacks difficult.

All available synchronization mechanisms

The "all available synchronization mechanisms" option is the most valuable synchronization method for users on a network. This method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.

Registry Entry: MaxPosPhaseCorrection

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Notes: This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change that is larger than this is required, the service logs an event. (0xFFFFFFFF is a special case that means always make a time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 or 15 hours.

Registry Entry: MaxNegPhaseCorrection

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Notes: This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change that is larger than this is required, the service logs an event instead. (-1 is a special case that means always make a time correction.) The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 or 15 hours.

Registry Entry: MaxPollInterval

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: This entry specifies the largest interval, in log seconds, that is allowed for the system polling interval. While a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.

This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval that is determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

Registry Entry: MaxAllowedPhaseOffset

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

Note: This entry specifies the maximum offset, in seconds, for which W32Time tries to adjust the computer clock by using the clock rate. When the offset is greater than this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.
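MaxPosPhaseCorrection, MaxNegPhaseCorrection and MaxAllowedPhaseOffset together decide what happens to each sample, and the domain-member default of 0xFFFFFFFF for the first two is why the "Let me fix it myself" procedure above has you tighten them: with the default, an unauthenticated external source can move the clock by any amount. The following added example (not Microsoft's implementation) applies the decision rules exactly as the three tables state them and runs the same constructed offsets through the default and a tightened configuration side by side. The default values are the ones in the tables; the tightened limit of 900 seconds follows the article's "15 minutes or even lower" recommendation for a root time source without a hardware clock; the sample offsets are constructed.

```python
"""Decide what W32time does with a time sample that differs from the local
clock by offset_s seconds, given the MaxPosPhaseCorrection,
MaxNegPhaseCorrection and MaxAllowedPhaseOffset registry values.

Added example, not Microsoft's implementation. The decision rules and the
default values are those stated in the article's registry tables; the
tightened configuration uses the article's "15 minutes or even lower"
recommendation for a root time source; the sample offsets are constructed.
"""
from typing import Dict, List, Tuple

ALWAYS = 0xFFFFFFFF   # special value: always make the correction (-1 as a signed DWORD)

DEFAULT_DOMAIN_MEMBER: Dict[str, int] = {
    "MaxPosPhaseCorrection": ALWAYS,
    "MaxNegPhaseCorrection": ALWAYS,
    "MaxAllowedPhaseOffset": 300,
}
DEFAULT_STANDALONE: Dict[str, int] = {
    "MaxPosPhaseCorrection": 54000,   # 15 hours
    "MaxNegPhaseCorrection": 54000,
    "MaxAllowedPhaseOffset": 1,
}
# Root time source without a hardware clock: the article recommends 15 minutes or lower.
TIGHTENED_ROOT: Dict[str, int] = {
    "MaxPosPhaseCorrection": 900,
    "MaxNegPhaseCorrection": 900,
    "MaxAllowedPhaseOffset": 300,
}


def decide(offset_s: float, cfg: Dict[str, int]) -> str:
    """'slew'   -> correct gradually through the clock rate
       'step'   -> set the clock directly (offset above MaxAllowedPhaseOffset)
       'reject' -> correction exceeds Max{Pos,Neg}PhaseCorrection; an event is logged instead"""
    limit = cfg["MaxPosPhaseCorrection"] if offset_s >= 0 else cfg["MaxNegPhaseCorrection"]
    if limit not in (ALWAYS, -1) and abs(offset_s) > limit:
        return "reject"
    if abs(offset_s) > cfg["MaxAllowedPhaseOffset"]:
        return "step"
    return "slew"


def compare(offsets: List[float], weak: Dict[str, int],
            tightened: Dict[str, int]) -> List[Tuple[float, str, str]]:
    """Side by side: what each sample does under the weak and the tightened settings."""
    return [(o, decide(o, weak), decide(o, tightened)) for o in offsets]


# Constructed samples: normal drift, a 10-minute error, and a bogus sample a day out.
SAMPLE_OFFSETS: List[float] = [0.02, -0.5, 600, -86400.0]

if __name__ == "__main__":
    print(f"{'offset (s)':>12}  {'domain default':15} {'tightened root':15}")
    for offset, weak, tight in compare(SAMPLE_OFFSETS, DEFAULT_DOMAIN_MEMBER, TIGHTENED_ROOT):
        print(f"{offset:>12}  {weak:15} {tight:15}")
```

The last row is the security-relevant one: under the domain-member default the day-long jump is stepped onto the clock without question, while the tightened configuration refuses it and logs an event, which is the outcome the article's recommendation to reduce the time correction settings is aiming for.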